From: vila@tesla.cujae.edu.cu
To: Ermal Luçi
Cc: freebsd-pf@freebsd.org
Date: Sat, 06 Jun 2009 13:15:45 -0400
Subject: Re: Connmark target
Message-ID: <20090606131545.kk8k1qf7a8oc4os8@correo.cujae.edu.cu>
In-Reply-To: <9a542da30906060955i4a1097bcpad5fd78587d7e169@mail.gmail.com>

Ermal Luçi wrote:

> On Sat, Jun 6, 2009 at 6:49 PM, wrote:
>> Vlad Galu wrote:
>>
>>> On Sat, Jun 6, 2009 at 5:57 AM, wrote:
>>>>
>>>> Hi folks!
>>>>
>>>> I'm trying to figure out if there is a way to do connection marking in a
>>>> similar way as iptables' CONNMARK target does.
>>>>
>>>> Does pf support this feature?
>>>>
>>>> My intentions are to tag an outgoing packet, transfer the tag to the
>>>> whole connection and then use that tag to mark incoming packets
>>>> belonging to the same connection.
>>>>
>>>> Also, I would like then to use that mark to enqueue marked packets to
>>>> hfsc classes.
>>>>
>>>> I've done all of this in Linux but never on FreeBSD; I've searched in
>>>> pf's man page and the FAQ without success.
>>>>
>>>> Thanks in advance,
>>>>
>>>> evelio vila
>>>
>>>   Hi evelio, see below:
>>> -- cut here --
>>>     tag
>>>          Packets matching this rule will be tagged with the specified
>>>          string.  The tag acts as an internal marker that can be used to
>>>          identify these packets later on.  This can be used, for
>>>          example, to provide trust between interfaces and to determine if
>>>          packets have been processed by translation rules.  Tags are
>>>          "sticky", meaning that the packet will be tagged even if the
>>>          rule is not the last matching rule.  Further matching rules can
>>>          replace the tag with a new one but will not remove a previously
>>>          applied tag.  A packet is only ever assigned one tag at a time.
>>>          Packet tagging can be done during nat, rdr, or binat rules in
>>>          addition to filter rules.  Tags take the same macros as labels
>>>          (see above).
>>>
>>>     tagged
>>>          Used with filter or translation rules to specify that packets
>>>          must already be tagged with the given tag in order to match the
>>>          rule.  Inverse tag matching can also be done by specifying the !
>>>          operator before the tagged keyword.
>>> -- and here --
>>>
>>>  Anyway, I believe that keeping state for the desired outgoing
>>> connections should be enough all by itself. You would simply add the
>>
>> Indeed no, what I want is also to mark the connection to be able then
>> to mark incoming packets belonging to the same connection.
>>
>>> "queue" directive at the end of your pass out rule, even
>>> though the interface packets go out through is the "external" one, and
>>> you want to do shaping on the "internal" one but, as I understand, for
>>> that you also need floating (not if-bound) states. If I'm wrong, I'd
>>
>> I am not sure what you mean with "floating (not if-bound) states";
>> could you please explain this?
>>>
>>> like somebody with better pf knowledge to correct me :)
>
> pf(4) is not iptables. So before using it read more about it.
>

I'm aware of that. I think it's pretty obvious that my post is simply trying
to figure out how to achieve with pf something that I used to do with
netfilter.

I've read this before but nothing comes up to me:
http://www.openbsd.org/faq/pf/tagging.html

Thanks anyway, Ermal.

regards,
evelio vila

> http://home.nuug.no/~peter/pf/en/
> http://www.openbsd.org/faq/pf
>
>> Thanks for your quick answer, Vlad.
>>
>> evelio vila
>
> --
> Ermal

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

VI International Conference on Renewable Energy, Energy Saving and Energy Education
9 - 12 June 2009, Palacio de las Convenciones
...For a sustainable energy culture
www.ciercuba.com
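The tag / tagged / queue combination the thread goes back and forth over, written out as a pf.conf fragment. This is an added example, not configuration posted by anyone in the thread: the interface names, the LAN range, the queue names and the bandwidth figures are placeholders, and the part about replies landing in the right queue rests on the floating-state behaviour Vlad describes, not on anything a tag by itself guarantees (the thread never settles whether pf carries a tag into the state the way CONNMARK does).

```pf
# Added example; not from any poster in this thread. Interface names, the
# address range, queue names and bandwidth figures are placeholders.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# Vlad's "floating (not if-bound) states": this is pf's default, but his
# suggestion depends on it, so it is spelled out. A floating state created
# when a packet is matched on one interface also matches the same
# connection's packets as they cross the other interface.
set state-policy floating

# hfsc classes on the interface where the shaping is to happen
altq on $ext_if hfsc bandwidth 10Mb queue { q_default, q_lan }
queue q_default hfsc(default)
queue q_lan     hfsc(realtime 2Mb)

# "tag": mark packets arriving from the LAN on the inbound interface, with
# "no state" so that the per-connection decision is made by the "tagged"
# rule below (the "trust between interfaces" use from the quoted pf.conf(5)
# text).
pass in on $int_if from $int_net tag FROM_LAN no state

# "tagged": only packets already carrying FROM_LAN may leave on $ext_if.
# Per Vlad's suggestion the queue is given on this pass out rule, so the
# state created here carries the queue assignment for the connection.
pass out on $ext_if tagged FROM_LAN keep state queue q_lan

# Inverse match with "!": anything leaving $ext_if without the tag is
# dropped. Note this also covers traffic originating on the firewall itself,
# which would need its own rule in a real deployment.
block out on $ext_if ! tagged FROM_LAN
```

Load it with `pfctl -nf` first to syntax-check, then inspect `pfctl -s rules -v` and `pfctl -s queue -v` to confirm which rule is matching and whether the expected queue is seeing packets; if the replies are not being counted under q_lan, the state policy is the first thing to check, since that is exactly the point Vlad raised.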